From owner-ietf-openpgp@mail.imc.org  Tue Sep 16 00:45:27 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA10944
	for <openpgp-archive@lists.ietf.org>; Tue, 16 Sep 2003 00:45:27 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h8G4IEeo001244
	for <ietf-openpgp-bks@above.proper.com>; Mon, 15 Sep 2003 21:18:14 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h8G4IEH6001243
	for ietf-openpgp-bks; Mon, 15 Sep 2003 21:18:14 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.132.70])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h8G4IDeo001236
	for <ietf-openpgp@imc.org>; Mon, 15 Sep 2003 21:18:13 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h8G4I5005152
	for ietf-openpgp@imc.org; Tue, 16 Sep 2003 00:18:05 -0400
Date: Tue, 16 Sep 2003 00:18:05 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Using IDEA in v3-v4 algorithm conflict
Message-ID: <20030916041805.GA4845@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Gibbous (74% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Section 12.1 of the draft says:

   An implementation that is striving for backward compatibility MAY
   consider a V3 key with a V3 self-signature to be an implicit
   preference for IDEA, and no ability to do TripleDES. This is
   technically non-compliant, but an implementation MAY violate the
   above rule in this case only and use IDEA to encrypt the message,
   provided that the message creator is warned. Ideally, though, the
   implementation would follow the rule by actually generating two
   messages, because it is possible that the OpenPGP user's
   implementation does not have IDEA, and thus could not read the
   message. Consequently, an implementation MAY, but SHOULD NOT use
   IDEA in an algorithm conflict with a V3 key.

This is a problem since the method given (even though it is a SHOULD
NOT) doesn't work terribly well in practice as PGP 2.x breaks when it
sees *anything* it doesn't understand in a message.  For example, the
most common OpenPGP encryption (sub)key type is Elgamal.  Trying to be
backwards compatible by using IDEA in an algorithm conflict between a
V3 key and an Elgamal subkey is pointless since PGP 2.x won't be able
to handle the message anyway due to the use of Elgamal.

Some experimentation shows that using IDEA when having a V3<=>V4
algorithm conflict only works if the V4 (sub)key is:

a) RSA
and
b) <=2112 bits

(and everything else in the message is carefully chosen to be at the
RFC-1991 level).

The above is true for MIT PGP 2.6.2 and PGP 2.6.3ia.  I don't know
about Disastry's "2.6.3ia-multi05", or any other programs that might
implement RFC-1991.

I know 2440bis isn't intended as an implementation guide, so details
like this are perhaps inappropriate.  Still, the wording in the draft
can lead a developer down a bad path.  It is not unreasonable for that
developer to assume that something specified in an RFC is going to
work.

There are countless ways to fix this (specify RSA and <=2112 bits
somewhere, add another implementation note, etc.) but it might be
simpler to just drop the paragraph altogether.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iHEEARECADEFAj9mjv0qGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk
L2tleXMuYXNjAAoJEOJmXIdJ4cvJGsEAniZGnMgsCnIqvyFnZj+8J1lJR1jlAKC6
cSKUoKGJaaoZfjKTrIs0VvMQtA==
=WvGl
-----END PGP SIGNATURE-----


From owner-ietf-openpgp@mail.imc.org  Tue Sep 16 11:47:45 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA23026
	for <openpgp-archive@lists.ietf.org>; Tue, 16 Sep 2003 11:47:44 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h8GFFteo088264
	for <ietf-openpgp-bks@above.proper.com>; Tue, 16 Sep 2003 08:15:55 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h8GFFtdj088262
	for ietf-openpgp-bks; Tue, 16 Sep 2003 08:15:55 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp3.hushmail.com (smtp3.hushmail.com [65.39.178.135])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h8GFFseo088256
	for <ietf-openpgp@imc.org>; Tue, 16 Sep 2003 08:15:54 -0700 (PDT)
	(envelope-from vedaal@hush.com)
Received: from mailserver2.hushmail.com (mailserver2.hushmail.com [65.39.178.21])
	by smtp3.hushmail.com (Postfix) with ESMTP id D3F8910E700
	for <ietf-openpgp@imc.org>; Tue, 16 Sep 2003 08:15:53 -0700 (PDT)
Received: from mailserver2.hushmail.com (localhost.hushmail.com [127.0.0.1])
	by mailserver2.hushmail.com (8.12.6/8.12.3) with ESMTP id h8GFFsKs052950
	for <ietf-openpgp@imc.org>; Tue, 16 Sep 2003 08:15:54 -0700 (PDT)
	(envelope-from vedaal@hush.com)
Received: (from nobody@localhost)
	by mailserver2.hushmail.com (8.12.6/8.12.3/Submit) id h8GFFrws052949
	for ietf-openpgp@imc.org; Tue, 16 Sep 2003 08:15:53 -0700 (PDT)
Message-Id: <200309161515.h8GFFrws052949@mailserver2.hushmail.com>
Date: Tue, 16 Sep 2003 08:15:53 -0700
To: ietf-openpgp@imc.org
Subject: Re: Using IDEA in v3-v4 algorithm conflict
From: <vedaal@hush.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>




On Mon, 15 Sep 2003 21:18:05 -0700 David Shaw <dshaw@jabberwocky.com>
wrote:

>Trying to be
>backwards compatible by using IDEA in an algorithm conflict between
>a
>V3 key and an Elgamal subkey is pointless since PGP 2.x won't be able
>to handle the message anyway due to the use of Elgamal.

>Some experimentation shows that using IDEA when having a V3<=>V4
>algorithm conflict only works if the V4 (sub)key is:

>a) RSA
>and
>b) <=2112 bits 

>The above is true for MIT PGP 2.6.2 and PGP 2.6.3ia.  I don't know
>about Disastry's "2.6.3ia-multi05", or any other programs that might
>implement RFC-1991.

it is not a problem at all in Disastry's multi builds, as they accept
all symmetrical algorithms, (and all hashes),

but by default, will encrypt using idea, and sign with md5, unless configured
otherwise, or overridden at the command line
(the -j command added at the end of a command, can specify an override
and use any algorithm and hash)

Disastry's builds are capable of generating keys up to 8k,
and have no problems accepting messages simultaneously encrypted to a
4k rsa v4 key.

interestingly, it has no problem with the signature of a v4 rsa key either,
 (no alerts, flags, or error messages at all)
it just can't verify it because it won't accept a v4 rsa key into the
keyring,
but it 'asks' to do so, when given a signature from a v4 rsa key, the
same as it would from an unknown v3 rsa key

--vedaal





From owner-ietf-openpgp@mail.imc.org  Tue Sep 16 20:08:17 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA20595
	for <openpgp-archive@lists.ietf.org>; Tue, 16 Sep 2003 20:08:16 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h8GNKHeo011950
	for <ietf-openpgp-bks@above.proper.com>; Tue, 16 Sep 2003 16:20:17 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h8GNKHX1011949
	for ietf-openpgp-bks; Tue, 16 Sep 2003 16:20:17 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.132.70])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h8GNKGeo011944
	for <ietf-openpgp@imc.org>; Tue, 16 Sep 2003 16:20:16 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h8GNKDa17056
	for ietf-openpgp@imc.org; Tue, 16 Sep 2003 19:20:13 -0400
Date: Tue, 16 Sep 2003 19:20:12 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: Using IDEA in v3-v4 algorithm conflict
Message-ID: <20030916232012.GA16686@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <200309161515.h8GFFrws052949@mailserver2.hushmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <200309161515.h8GFFrws052949@mailserver2.hushmail.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Gibbous (67% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Sep 16, 2003 at 08:15:53AM -0700, vedaal@hush.com wrote:

> On Mon, 15 Sep 2003 21:18:05 -0700 David Shaw <dshaw@jabberwocky.com>
> wrote:
> 
> >Trying to be
> >backwards compatible by using IDEA in an algorithm conflict between
> >a
> >V3 key and an Elgamal subkey is pointless since PGP 2.x won't be able
> >to handle the message anyway due to the use of Elgamal.
> 
> >Some experimentation shows that using IDEA when having a V3<=>V4
> >algorithm conflict only works if the V4 (sub)key is:
> 
> >a) RSA
> >and
> >b) <=2112 bits 
> 
> >The above is true for MIT PGP 2.6.2 and PGP 2.6.3ia.  I don't know
> >about Disastry's "2.6.3ia-multi05", or any other programs that might
> >implement RFC-1991.
> 
> it is not a problem at all in Disastry's multi builds, as they accept
> all symmetrical algorithms, (and all hashes),

The issue is unrelated to having sufficient symmetric algorithms, IDEA
or otherwise.  The issue is that 2.x-derived implementations of PGP
cannot cope with the encrypted session key from most v4 (sub)keys.

The draft suggests (though does not recommend) using IDEA in an
algorithm conflict between v3 and v4 keys in order to improve
backwards compatibility.  My point was that this is not necessarily
useful advice since the 2.x implementation would likely fail anyway,
because of the Elgamal-encrypted session key.

There is no backwards compatibility with a message encrypted to both a
v3 and v4 key, unless the v4 key happens to be an RSA key that is
<=2112 bits long.  Anything else makes the message unusable by PGP
2.x.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iHEEARECADEFAj9nmqwqGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk
L2tleXMuYXNjAAoJEOJmXIdJ4cvJW/cAniLOGF/CCO3dKWZdf/dtLyoTlwVxAKCM
Va3YD7ebUQIw61bLuZhrD7Znig==
=rXWx
-----END PGP SIGNATURE-----
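An added example, not code from either of David Shaw's posts or from any PGP implementation: it reads the version, public-key algorithm and first-MPI bit length out of OpenPGP key packets (RFC 2440 packet layout) and applies the limit he reports in both posts, that PGP 2.x can only cope with the message when every v4 (sub)key is RSA of at most 2112 bits, before deciding whether picking IDEA in a v3/v4 algorithm conflict gains anything. The packet bytes are constructed inline around a dummy modulus, and the function names and the choose_symmetric policy are my own reading of section 12.1 plus the thread, not the draft's text.

```python
import struct

RSA_ALGOS = {1, 2, 3}       # RSA encrypt-or-sign / encrypt-only / sign-only
PGP2_MAX_RSA_BITS = 2112    # largest RSA v4 key PGP 2.6.x coped with (thread)

def read_packet(data):
    """Split off the first OpenPGP packet in data: returns (tag, body)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                      # new-format header (RFC 2440 4.2.2)
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            hlen, blen = 2, first
        elif first < 224:
            hlen, blen = 3, ((first - 192) << 8) + data[2] + 192
        elif first == 255:
            hlen, blen = 6, struct.unpack(">I", data[2:6])[0]
        else:
            raise ValueError("partial body lengths not handled here")
    else:                               # old-format header (RFC 2440 4.2.1)
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled here")
        hlen = 1 + (1 << ltype)         # 1, 2 or 4 length octets follow
        blen = int.from_bytes(data[1:hlen], "big")
    return tag, data[hlen:hlen + blen]

def key_info(body):
    """(version, algorithm id, bit length of the first MPI) of a key packet."""
    version = body[0]
    if version in (2, 3):
        algo, mpi_at = body[7], 8       # ctime(4) + validity days(2) + algo
    elif version == 4:
        algo, mpi_at = body[5], 6       # ctime(4) + algo
    else:
        raise ValueError("unsupported key packet version %d" % version)
    bits = struct.unpack(">H", body[mpi_at:mpi_at + 2])[0]
    return version, algo, bits

def pgp2_compatible(keys):
    """True only if PGP 2.x could read a message encrypted to all of keys."""
    return all(algo in RSA_ALGOS and bits <= PGP2_MAX_RSA_BITS
               for _, algo, bits in keys)

def choose_symmetric(keys):
    """Cipher for a message to these keys: a v3-only recipient set gets IDEA
    (its implicit preference); in a v3/v4 conflict IDEA is worth the
    non-compliance only when PGP 2.x could read the message at all."""
    has_v3 = any(v == 3 for v, _, _ in keys)
    has_v4 = any(v == 4 for v, _, _ in keys)
    if has_v3 and not has_v4:
        return "IDEA"
    if has_v3 and has_v4 and pgp2_compatible(keys):
        return "IDEA"       # draft: the message creator must be warned
    return "TripleDES"

def make_key_packet(version, algo, modulus_bits, tag=6):
    """Constructed sample, not a real key: old-format packet with a 2-octet
    length and a dummy modulus whose top bit is set so the MPI count is exact."""
    n = (modulus_bits + 7) // 8
    body = bytes([version]) + struct.pack(">I", 1063664285)   # creation time
    if version in (2, 3):
        body += struct.pack(">H", 0)                          # never expires
    body += bytes([algo]) + struct.pack(">H", modulus_bits)
    body += b"\x80" + b"\x00" * (n - 1)
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body
```

The check covers the recipient keys only; as the first post notes, everything else in the message must also be kept at the RFC-1991 level for PGP 2.x to read it.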
